December 19, 2018

Concerned About Sharing Your Personal NRIC Details? Here's What to Do

In 1965, the Singapore government created the National Registration Identity Card (NRIC) as a means of identification for all citizens and permanent residents.

Whilst the NRIC may be viewed as just a string of numbers assigned to every individual at birth, the significance of these digits cannot be taken lightly as it uniquely identifies every Singaporean or Permanent Resident.

However, organisations in Singapore have, for the sake of convenience, grown accustomed to request that customers provide them with NRIC details in exchange for the provision of goods and services. For instance, in many cases individuals still need to submit their NRIC details in order to participate in lucky draws, or even to register for gym memberships.

Such practices have made customers less wary of how their personal data could be compromised. However, recent data breaches in Singapore, have made individuals more cautious of the personal data they are giving out to organisations. Hot on the heels of the SingHealth data breach, Singapore’s Personal Data Protection Commission (PDPC) announced tighter rules to be implemented on the collection, use or disclosure of identity documents.

From 1 September 2019, organisations will no longer be allowed to ask for NRIC details and other identification documents as they see fit. Instead, they will only be allowed to do this when there is an important reason to identify an individual to a high degree of certainty such as verifying a patient’s identity for medical treatment. What this means for individuals is that if they don’t feel comfortable in sharing their personal NRIC details in some cases, they don’t necessarily have to.

When to share or not to share?

It is important to know when it is absolutely necessary to share NRIC details and when not to, for example:

  • Under the Private Hospitals and Medical Clinics Regulations, all healthcare institutions are required to carry out proper documentation and accurate verification of a patient’s identity to ensure that medical care and treatment is provided to the right patient.
  • Telecommunication companies who provide mobile phone services are required to collect customers’ NRIC information and keep a copy of their NRIC as evidence of identity as per the Telecommunications Act.
  • Registered private education institutions are also required to keep proper records of their enrolled students’ NRIC numbers.

There are some instances where an organisation may collect personal data without the consent of the individual or from a source other than the individual, for example:

  • When the collection is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual
  • When the personal data is publicly available
  • When the collection is necessary for the provision of legal services by the organisation to another person or for the organisation to obtain legal services.

Consumers should also know the circumstances in which their personal data should not be collected, used or disclosed, for example:

  • When redeeming free parking at a mall
  • When purchasing movie tickets
  • When signing up for retail member programmes
  • When filling up surveys
  • When entering a private condominium 
  • When visiting a commercial building
  • When renting a bicycle.

Tips for safeguarding personal data  

Apart from understanding the PDPC’s guidelines on the collection, use and disclosure of personal data, individuals should be careful only to provide their NRIC details when absolutely necessary.

Organisations that hold personal data need to exercise great caution in ensuring that the collection, use and disclosure of the information abides by the PDPC’s guidelines.

It is also a best practice for organisations to adopt a clean desk policy or shred-it All policy for unwanted documents and ensure that any hard drives which are no longer required are disposed of securely. These are important practices to maintain so that no personal data is lost.

Start Protecting Your Business           

An organisation that integrates a personal data protection plan into its business processes can help reduce the risk of a data breach.

Learn more about how Shred-it can protect your documents and hard-drives by contacting us for a free quote and a security risk assessment.